Devastating Vulnerability Affects 66 Percent of Android Phones

SAN FRANCISCO—Most of us aren't stupid enough to click on a window that easily over command of our phones to a stranger. And most of u.s.a. definitely wouldn't do it if our phones kicked up numerous warnings in the procedure. Only researchers at Skycure have demonstrated that they can take control of an Android phone without the victim beingness any the wiser.

At the RSA Conference here, Skycure researchers volition share their enquiry with the gathered attendees. PCMag received a private briefing on the research from Skycure CTO Yair Amit prior to the public annunciation—afterward Skycure took command of my iPhone during a call to prove a point.

The attack uses the Android accessibility framework, which is designed to assist users become the most out of their phones, even if they are visually dumb or have difficulty typing, for example. But under malicious control, Amit explained, the accessibility framework tin can be used to monitor user activeness and take actions without users' knowledge.

Normally, activating the accessibility tools requires diving through a series of menus and confirming your option on several screens. These are powerful tools, and you lot are warned repeatedly by the operating system that granting access to the framework can expose your personal data. But Skycure is able to circumvent these warnings using a technique called clickjacking.

The Set on
In our demonstration, Amit showed off a game based off the popular Tv series Rick and Morty. The goal of the game was to tap a grapheme as he moved effectually the screen, whack-a-mole way.

While he was borer, the game was actually hijacking the taps in order to grant the game permission to use the Android Accessibility framework. At no betoken do the warning letters from the operating organisation appear. Instead the victim'south taps in the game are translated on to the subconscious dialog boxes.

This is clickjacking, where a user's input is invisibly rerouted for another purpose. It's virtually unremarkably seen on malicious webpages, where clicks are used to open up other windows, or secretly view sites in society to push malicious software or earn money through affiliate advertizing.

In one case the malicious app can use the accessibility tools, information technology can run across every keystroke the user enters in whatever app. In the sit-in PCMag saw, an email typed in the Gmail app was painstakingly captured past the malicious app.

But this app can exercise more. Using the accessibility framework, the app is so able to get Device Administrator access on the device. This is a special, privileged level of access usually reserved for trusted security apps or Google. The Android Device Manager, for example, uses Device Admin privileges to remotely lock, wipe, and locate lost Android devices.

In the demo we saw, the malicious app merely flashed an epitome on the screen—again, taken from Rick and Morty. There was no flicker, or any indication that something was amiss, but in the background the app had granted itself Device Admin. Once it has this level of access, the malicious app and its author now take a lot of control over a victim's device.

Device Admin is different from root admission, and in fact the Android phone we saw was never rooted at any point in the demonstration. But Amit says that's function of the beauty of this attack. Root access can be difficult to get, and it's a unsafe move that will send up scarlet flags. Device Admin, on the other hand, tin go unnoticed unless the victim checks their security settings.

"The beauty of it is that it doesn't require rooting, but we still see everything the victim is doing and have deportment," Amit told PCMag.

The Bulk of Android at Risk
Google made changes to Android's accessibility framework in version 5.0 of Android, which prevents specific buttons from being hijacked in this manner. Version six.0 appears to be immune also.

But because of the fractured nature of Android, Google reports that merely a combined 35 percent of Android users that visit the Google Play store are using either of these versions. Using those numbers, Skycure estimates that about 66 per centum of Android phones could exist susceptible to this attack. The phone we saw that attack demonstrated on ran Android iv.iv Kitkat.

Staying Safe
Thankfully, it'due south easy to check if an attacker is taking advantage of this vulnerability. Simply open your accessibility settings and brand certain that you recognize and corroborate of every service on the listing. Y'all can do the same for Device Admin.

As always, the best fashion to avoid malware is to stick with the Google Play shop. While not infallible, the Play store is an splendid first line of defense against malware. Yet, when asked if his sit-in app would exist accepted to the Play store, Amit said it was entirely possible since it just asked for a unmarried permission: to draw over apps. Amit pointed out that trusted apps like Facebook besides use this permission.

The app Skycure used in its demonstration isn't available for download, just Amit pointed out it'due south more than only a proof of concept. He said that Symantec had previously detected clickjacking malware chosen Android.Lockdroid.E that used the technique obtained admin admission on Android devices.

Given all that, Amit sees a future in this kind of assault. "We expect to encounter more than attacks like this in the wild in the very near future," he said.

This commodity originally appeared on PCMag.com.

Source: https://sea.pcmag.com/apps/10780/devastating-vulnerability-affects-66-percent-of-android-phones

Posted by: alanizthates.blogspot.com

Share this post